As I’ve continued to explore penetration testing (and studying for my OSCP), I’ve encountered various issues which, although not exactly complicated, were unfamiliar enough to me to present an issue. I don’t claim to have invented or discovered any of this myself and pretty much everything I’ve learned so far has been cribbed from people far more intelligent and industrious than me. I list this information here mostly for my own benefit to refer back to in the event my bookmarks get wiped out. Hopefully I’ll continue adding links and information as I come across it.
Shells without TTYs
At one point I found myself with a shell from a vulnerable web application and I was able to dump the database via credentials in the compromised web app. I noticed that one of the users on the box also had credentials listed in the database I had just exported. Figuring it was worth a shot to see if they had used the same password for both accounts, I tried to su, only to discover that su wouldn’t execute without being able to read from a TTY.
After googling, I came across this solution:
python -c 'import pty; pty.spawn("/bin/bash")'
It’s my understanding that this doesn’t net an actual terminal, but it’s functional enough to fool programs, including su. There are other methods that I’ve found as well, but this remains the only one that I’ve actually tried. God help me when I find a machine without python…
FTP and spaces in filenames
After finding a vulnerability in an FTP program that allowed for arbitrary file retrieval, I ran into an issue where files or directories with spaces in their filename would not be recognized. I tried quoting the path and escaping the spaces, but no luck. Fortunately, this was in a Windows environment, so I was actually able to navigate by using the DOS filename. Equivalent DOS filenames can be obtained by shortening the normal name to six characters and appending a ~n, where n is a number (usually one, unless there’s another filename with the same six letter prefix, in which case adjust the number as appropriate).
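To make the six-characters-plus-~n rule concrete, here is an added Python helper (my own illustration, not code from any tool mentioned above) that derives the 8.3 alias from a long name, including the ~n numbering used when an earlier name already took the same prefix. It assumes the documented Windows short-name rules (uppercase, spaces and extra dots dropped, illegal characters replaced by an underscore, extension cut to three characters) and does not model the hash-style suffix Windows switches to after several collisions.

```python
import re

# Characters not permitted in an 8.3 name are replaced by "_".
# (Documented Windows behaviour; the ~1, ~2, ... numbering below follows
# the scheme described in the post, while the hash-based suffix Windows
# uses after a handful of collisions is deliberately not modelled.)
_ILLEGAL = re.compile(r"[^A-Z0-9!#$%&'()\-@^_`{}~]")


def short_name(long_name, existing=()):
    """Return the DOS 8.3 alias for long_name.

    `existing` is an iterable of short names already present in the same
    directory; the ~n suffix is bumped until the alias does not clash.
    """
    name = long_name.upper()
    # Short names never contain spaces, and leading dots are dropped.
    name = name.replace(" ", "").lstrip(".")
    # The extension starts at the LAST dot; any earlier dots are removed.
    if "." in name:
        base, ext = name.rsplit(".", 1)
        base = base.replace(".", "")
    else:
        base, ext = name, ""
    base = _ILLEGAL.sub("_", base)
    ext = _ILLEGAL.sub("_", ext)[:3]
    suffix = ("." + ext) if ext else ""
    # A name that is already a valid 8.3 name (case aside) needs no ~n.
    if len(base) <= 8 and base + suffix == long_name.upper():
        return base + suffix
    used = {n.upper() for n in existing}
    n = 1
    while True:
        tail = "~%d" % n
        # Six characters of prefix for ~1..~9, fewer once the counter grows.
        candidate = base[: 8 - len(tail)] + tail + suffix
        if candidate not in used:
            return candidate
        n += 1


if __name__ == "__main__":
    print(short_name("Program Files"))                     # PROGRA~1
    print(short_name("Program Files (x86)", ["PROGRA~1"]))  # PROGRA~2
    print(short_name("web.config"))                        # WEB~1.CON
```

From the defending side the same helper shows why a filter or access rule written against the long filename alone does not cover the short alias; both spellings of a path reach the same file.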
Pass the hash and pth-winexe
After dumping passwords from a Windows box, I wanted to attempt a “pass the hash” attack and log in to another box using only the hash. After reading some official documentation, I was instructed to specify the hash by exporting it into an environment variable (SMBHASH=XXXXXXXXXXX; export SMBHASH). However, this did not work for me. Instead, I had to pass the information on the command line in the form of user%hash. For example:
pth-winexe -U administrator%XXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXX //192.168.1.9 cmd
Windows File Contents
Proving how incredibly remedial my knowledge of computing is, I had no idea how to cat file contents on Windows. I mean, I’ve been using Windows for multiple decades now, but this is just never something I had to do from the command line. For all of you in a similar predicament (please dear God, don’t let this be common knowledge. I can still save some kind of face), it’s type. How exactly “type” relates to file contents I have no idea, but there you go.